Implementing a secure login screen with Silverlight

Old forum URL: forums.lhotka.net/forums/t/7814.aspx


Gareth posted on Monday, October 19, 2009

Hi all, this is a bit off topic as far as CSLA is concerned. Has anyone developed a method of logging into a Silverlight application via an SSL connection and then switching back to non-SSL?

I have an existing Silverlight/CSLA application working fine, prompting for a username and password and authenticating with a backend database. However the username and password are sent via clear text. I'd like to secure them being sent via SSL. However I don't want to perform any other communications via SSL after that.
Is this possible? Rocky mentions it in his video series but as it's outside the scope of CSLA he doesn't expand on it. I've had little experience of working with SSL connections on my projects due to being all in-house work. Now I'm developing a Silverlight app with access via the internet and as such it needs to be more secure.
Any help or pointers are appreciated.

Regards,
Gareth.

sergeyb replied on Monday, October 19, 2009

A couple of thoughts.
1. Sounds like what you need to secure is WCF communication during login. You can set up a separate service and put it under HTTPS on a separate virtual directory.
2. You would need to set the proxy address manually for the initial login to make sure it is running over HTTPS. Then you can reset the address to the default.
3. Technically, you can just post your service in a virtual directory that is set up for either HTTPS or HTTP communications, and just use HTTPS for login.
4. You could also use custom encryption inside the SL app itself / principal / identity classes.
5. If you use HTTPS, you have to use an appropriate clientaccesspolicy.xml to support HTTPS.

I hope this helps.

Sergey Barskiy

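A clientaccesspolicy.xml for the arrangement in points 1 and 5 of the reply above, given here as an added example that is not part of the original thread. It assumes the Silverlight application is loaded over plain HTTP and calls a login service hosted over HTTPS; the host name `app.example.com` and the `/Login/` path are constructed placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  Served from the root of the HTTPS site that hosts the login service:
    https://app.example.com/clientaccesspolicy.xml   (constructed host name)

  An application loaded over http:// that calls an https:// service is making
  a cross-scheme request, so the caller's http:// origin has to be listed
  explicitly. A bare uri="*" on an HTTPS-hosted policy matches HTTPS callers
  only and would not admit it.
-->
<access-policy>
  <cross-domain-access>
    <policy>
      <!-- SOAPAction is the request header WCF SOAP calls send. -->
      <allow-from http-request-headers="SOAPAction">
        <!-- Only the origin the XAP is actually served from. -->
        <domain uri="http://app.example.com"/>
        <!-- Keeps working if the XAP itself is later served over HTTPS. -->
        <domain uri="https://app.example.com"/>
      </allow-from>
      <grant-to>
        <!-- Expose the login virtual directory only, not the whole site. -->
        <resource path="/Login/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>

<!--
  Weaker form for comparison: this lets a Silverlight application hosted on
  any HTTP site call every path on the HTTPS host.

    <allow-from http-request-headers="*">
      <domain uri="http://*"/>
    </allow-from>
    <grant-to>
      <resource path="/" include-subpaths="true"/>
    </grant-to>
-->
```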

Copyright (c) Marimer LLC